AST-0002448 Can Wireless LAN Denial of Service Attacks Be Prevented
are often vulnerable to Denial of Service (DoS) attacks. Wireless Local Area
can lead to DoS. This paper provides an overview of various WLAN DoS
On the contrary, devices such as microwave ovens simply spew energy in the 2.4 GHz band when they
are powered up. Other devices such as wireless video cameras might use a continuous wave modulation
scheme where they are always radiating energy on a given RF channel. If these devices are operating in
the vicinity of a WLAN, they can effectively shut down all WLAN communication because devices will
defer their transmissions until they sense that the medium is idle.
A spoofed disassociation frame also produced the same end result – disassociating the client from the AP. A
deauthentication attack is slightly more effective than disassociation since the client has to first
re-authenticate and then re-associate, i.e. do more work to re-establish the wireless connection.
An attacker can easily circumvent the protocol and monopolize the channel. By initiating transmissions
without waiting for the mandated time during the contention window, the attacker can gain repeated access
to the channel before a legitimate device does. Further, by spoofing the duration field with very large values,
the attacker can convince legitimate stations that the medium is busy and prevent them from gaining
access. Several control frames such as Clear to Send (CTS) that are not authenticated can be used with
spoofed duration field values to completely block the channel on multiple frequencies with a single radio.
DoS Detection
A WIPS system should be capable of detecting both PHY and MAC layer DoS attacks. Motorola AirDefense
Enterprise provides the most comprehensive Layer 1 & Layer 2 WLAN DoS detection capabilities available
in the industry. The Motorola AirDefense Enterprise system is capable of detecting 17 different DoS attacks
using attack signatures (e.g., wlan-jack, fata-jack, hunter-killer, etc.) as well as protocol anomaly analysis
(e.g., EAP floods, CTS floods, deauthentication/disassociation, virtual carrier exploits, etc.). Further, unlike
competitive solutions, AirDefense Enterprise is capable of detecting non-WLAN sources of interference
that could be causing intentional or accidental DoS. Figure 5 depicts the spectrum analysis capability of
AirDefense Enterprise that can be leveraged effectively to detect Layer 1 DoS attacks and classify the type
of source.
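A minimal sketch of the protocol anomaly analysis described above, added here as an illustration and not Motorola's or AirDefense Enterprise's detection logic: it parses raw 802.11 MAC headers and flags CTS/RTS frames carrying oversized duration values, and bursts of deauthentication/disassociation frames aimed at one receiver. The thresholds, MAC addresses and sample frames are constructed assumptions.

```python
import struct
from collections import defaultdict, deque

MGMT, CTRL = 0, 1                      # 802.11 frame types
DISASSOC, DEAUTH = 10, 12              # management subtypes
RTS, CTS = 11, 12                      # control subtypes
MAX_NAV_US = 10_000                    # assumed ceiling for a plausible reservation
FLOOD_COUNT, FLOOD_WINDOW_S = 5, 1.0   # assumed flood threshold per receiver

def parse_header(frame: bytes):
    """Return (type, subtype, duration_us or None, receiver address)."""
    if len(frame) < 10:
        raise ValueError("truncated 802.11 header")
    fc, dur = struct.unpack_from("<HH", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    # Bit 15 clear means the field carries a NAV duration in microseconds.
    duration = None if dur & 0x8000 else dur
    return ftype, subtype, duration, frame[4:10].hex(":")

def detect(capture):
    """capture: iterable of (timestamp_s, raw_frame) -> list of alert tuples."""
    alerts, recent = [], defaultdict(deque)
    for ts, raw in capture:
        ftype, subtype, duration, ra = parse_header(raw)
        if ftype == CTRL and subtype in (RTS, CTS):
            if duration is not None and duration > MAX_NAV_US:
                alerts.append((ts, "nav-abuse", ra, duration))
        elif ftype == MGMT and subtype in (DEAUTH, DISASSOC):
            window = recent[ra]
            window.append(ts)
            while ts - window[0] > FLOOD_WINDOW_S:
                window.popleft()
            if len(window) == FLOOD_COUNT:   # fires when the window first fills
                alerts.append((ts, "deauth-flood", ra, len(window)))
    return alerts

# Constructed sample frames (locally administered MACs, FCS omitted).
AP, STA1, STA2 = "0200000000aa", "020000000001", "020000000002"

def cts(duration, ra):
    return struct.pack("<HH", 0x00C4, duration) + bytes.fromhex(ra)

def deauth(sta, ap):
    return (struct.pack("<HH", 0x00C0, 314) + bytes.fromhex(sta)
            + bytes.fromhex(ap) * 2 + struct.pack("<HH", 0, 7))

SAMPLE = [(0.0, cts(44, AP)), (0.1, cts(32767, AP))]
SAMPLE += [(t, deauth(STA1, AP)) for t in (0.2, 0.3, 0.4, 0.5, 0.6)]
SAMPLE += [(2.0, deauth(STA2, AP))]
ALERTS = detect(SAMPLE)
```

Because these frames are unauthenticated, the addresses in an alert identify the targeted receiver, not the transmitter; locating the source still depends on the RF-level capabilities the paper describes.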
DoS Mitigation
Most DoS attacks cannot be mitigated. Unintentional attacks, such as interference from neighboring WLANs
or co-located devices such as microwave ovens, can be mitigated by changing the channel plan for the
WLAN. The Motorola WLAN includes SmartRF algorithms that can automatically determine the optimum
channels based on changing real-time conditions. Motorola AirDefense Enterprise DoS alarms can be
leveraged by WLAN management systems to trigger a reconfiguration of the operating channels to minimize
interference.
However, a determined attacker can always disrupt a WLAN. Some WIPS vendors misleadingly assert
that they can “prevent” DoS attacks. One vendor in particular claims that they can use their sensors to
effectively prevent the attacker from gaining access to the channel, while allowing authorized devices to
communicate, by using a mechanism similar to that described in Figure 4. The vendor claims that they can
spoof duration fields in their transmissions and reserve the channel for authorized devices while denying
it to the attacker. It is based on the flawed assumption that the attacker is playing in accordance with
the 802.11 rules and will listen to them! The attacker can simply ignore the channel reservation attempted
by spoofed frames from the WIPS sensor and continue to transmit numerous deauthentication frames.
The authorized devices need to hear just one to end the wireless session. Further, the attacker can always
mount a physical layer attack that is totally immune to the proposed technique. By attempting to orchestrate
transmit opportunities for valid devices in a proprietary manner, the vendor’s system will result in significant
The only guaranteed mechanism to neutralize an intentional DoS attack is to find and eliminate the attacker.
For that, the WIPS needs to be able to accurately detect both Layer 1 and Layer 2 DoS, locate the source
as well as provide flexible notification mechanisms that integrate with the enterprise’s physical security
infrastructure to capture and neutralize the attacker.
Forensic Analysis
Real-time DoS attack detection is important. However, the ability to analyze minute-by-minute wireless
behavior with a historical perspective is indispensable for detecting sophisticated and persistent WLAN
attacks. AirDefense Enterprise allows organizations to trace any suspicious device by rewinding and
reviewing minute-by-minute records of connectivity and communication with the WLAN, thereby facilitating
forensic investigations. Wireless activity is logged and data is stored in a tamper-proof way to ensure a full
audit trail is maintained. AirDefense Enterprise maintains 325 different statistics for every wireless device,
every minute, and is capable of storing this data for months. By analyzing patterns over a period of time,
even subtle DoS scenarios can be unearthed. Sophisticated capabilities such as historical location tracking
can be utilized to determine the physical whereabouts of the attacker, over time, and can be vital in nabbing
the culprit.
Motorola offers a comprehensive portfolio of wireless LAN (WLAN) infrastructure solutions designed
to enable the truly wireless enterprise, regardless of the size of your business — from large enterprises
with locations all over the world to branch offices and small businesses. Delivering Internet protocol (IP)
coverage to virtually all spaces both indoors and outdoors, Motorola’s innovative wireless enterprise
portfolio includes fixed broadband, mesh, enterprise WLAN and Motorola AirDefense wireless security
solutions. With time-proven resiliency, security and performance equal to or greater than that of a wired
network, Motorola’s solutions substantially reduce network deployment and maintenance costs, and
ensure the availability of cost-effective wireless connectivity in every corner of the enterprise. The
result is the truly wireless enterprise — offering full mobility at a fraction of the cost of a traditional
wired network.
Part number WP-WLAN-DENIAL. Printed in USA 12/09. MOTOROLA and the Stylized M Logo are registered in the
US Patent & Trademark Office. All other product or service names are the property of their respective owners.
©Motorola, Inc. 2009. All rights reserved. For system, product or services availability and specific information within
your country, please contact your local Motorola office or Business Partner. Specifications are subject to change
without notice.